There are multiple ways to store sensitive passwords. And while having choices can be great, in the context of password storage, picking the wrong one can be a security nightmare. With that in mind, let’s hash out some of your options 🥁🥁. In this article …
I’d like to start by saying that I’m not a security expert. I also won’t link to the exploit. This is a very fresh take on a new vulnerability, but there’s already confirmation from Sonatype. The current exploit seems to …
Watch a 10-minute discussion on Log4j, security processes and prioritization, and how Payara dealt with the vulnerability.
Detecting, Investigating and Verifying Fixes for Security Incidents and Zero Day Issues Using Lightrun
Learn about major milestones in app security: finding the issue, evaluating a breach, proving it, and validating the fix!
Java Debug Wire Protocol (a.k.a. JDWP) was designed for testing internally. Opening it to production is a HUGE security and stability risk…
Over the past two years we have had to learn a great deal about cybersecurity. New attack vectors are becoming ever more sophisticated and are increasingly aimed at the value chain as a whole.
But what does that mean for us? What can be done about it, and how has the state already reacted?
In this article, we’re going to look at the differences between the various cybersecurity defence techniques.
My personal opinion on these different approaches is that if you start with DevSecOps or security in IT in general, the SAST approach makes the most sense. This is where the greatest potential threat can be eliminated with minimal effort.
Here you can identify four main groups, which we will go through briefly, one after another, to illustrate their advantages and disadvantages.
What is the Common Vulnerability Scoring System (CVSS), who is behind it, what are we doing with it, and what does a CVSS value mean for you?
With CVSS we have a value system for rating security gaps in software. Since it has no real alternative, has been in use worldwide for over ten years and is constantly being developed, it is a de facto standard.
The evaluation consists of three components.
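To make concrete what a CVSS value actually encodes, here is an added example (not code from the article) that computes the Base score, the first of the three components, from a CVSS v3.1 vector string using the formula published in the v3.1 specification. Temporal and Environmental metrics are deliberately left out; the class name and the sample vectors in `main` are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * CVSS v3.1 Base-score calculator for vectors such as
 * "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H". Temporal and Environmental
 * metrics are not handled (assumption: this example covers the Base group only).
 */
public final class Cvss31 {

    /** Numeric weight of one metric; PR depends on whether Scope is Changed. */
    private static double metric(Map<String, String> m, String key, boolean scopeChanged) {
        String v = m.get(key);
        if (v == null) throw new IllegalArgumentException("missing metric " + key);
        switch (key) {
            case "AV":
                switch (v) { case "N": return 0.85; case "A": return 0.62; case "L": return 0.55; case "P": return 0.20; }
                break;
            case "AC":
                switch (v) { case "L": return 0.77; case "H": return 0.44; }
                break;
            case "PR":
                switch (v) {
                    case "N": return 0.85;
                    case "L": return scopeChanged ? 0.68 : 0.62;
                    case "H": return scopeChanged ? 0.50 : 0.27;
                }
                break;
            case "UI":
                switch (v) { case "N": return 0.85; case "R": return 0.62; }
                break;
            case "C": case "I": case "A":
                switch (v) { case "H": return 0.56; case "L": return 0.22; case "N": return 0.0; }
                break;
        }
        throw new IllegalArgumentException("bad value " + v + " for metric " + key);
    }

    /** Roundup as defined in the v3.1 spec: one decimal, rounded up, without float artefacts. */
    static double roundUp(double x) {
        long i = Math.round(x * 100_000);
        if (i % 10_000 == 0) return i / 100_000.0;
        return (Math.floor(i / 10_000.0) + 1) / 10.0;
    }

    public static double baseScore(String vector) {
        Map<String, String> m = new HashMap<>();
        for (String part : vector.split("/")) {
            int c = part.indexOf(':');
            if (c > 0) m.put(part.substring(0, c), part.substring(c + 1));
        }
        boolean changed = "C".equals(m.get("S"));
        double iss = 1 - (1 - metric(m, "C", changed))
                       * (1 - metric(m, "I", changed))
                       * (1 - metric(m, "A", changed));
        double impact = changed
                ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
                : 6.42 * iss;
        double exploitability = 8.22 * metric(m, "AV", changed) * metric(m, "AC", changed)
                * metric(m, "PR", changed) * metric(m, "UI", changed);
        if (impact <= 0) return 0.0;
        return changed
                ? roundUp(Math.min(1.08 * (impact + exploitability), 10))
                : roundUp(Math.min(impact + exploitability, 10));
    }

    public static void main(String[] args) {
        String[] samples = {                                   // constructed sample vectors
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",   // remote, trivial, scope changed
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",   // same, scope unchanged
            "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",   // local, hard, low impact
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",   // no impact at all
        };
        for (String v : samples) System.out.printf("%s -> %.1f%n", v, baseScore(v));
    }
}
```

Running the four samples shows why the vector matters more than the number: the first two differ only in Scope yet land at 10.0 and 9.8, the third drops to 2.2 because every exploitability factor is unfavourable, and the last is 0.0 because a Base score with no impact is defined to be zero regardless of how easy the access is.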
If you need to store sensitive data in your system, you have to be sure that you have proper encryption in place.
First of all, you need to decide what kind of encryption you need, for instance symmetric or asymmetric.
You also need to choose how strong it needs to be (algorithm, key size, mode). Stronger settings take more time and consume more CPU.
The most important part is that you do not implement the encryption algorithms yourself. Encryption is hard to get right, and a trusted, well-reviewed library solves it for you.
A couple of years ago, I attended a talk by my former colleague (but still friend) Volker Simonis. It gave me the idea to dig a bit into the subject of how to secure the JVM. From the material, I created a series of blog posts as well as a talk.
From that point on, I submitted the talk at meetups and conferences, where it was well received. Because I like to explore different areas, I stopped submitting it in favour of other proposals. Still, the talk is in my portfolio, and it was requested again in 2021. At the time of this writing I have already presented it twice since the beginning of the year.
It allowed me to update the demo to version 16 of the JDK. In this blog post, I want to share some findings regarding the security-related changes around changing a field’s type across JDK versions.
The user’s perspective matters. There is a material difference between the importance and impact on Java deployments and the notion of what “priority” is for issues in the Java Bug System.
The issue notes and material circulated on OpenJDK lists tend to center, for good reason, on the needs and concerns of developers who build and maintain OpenJDK. In fact, an inverse relationship often exists: some of the most important and impactful items in OpenJDK updates in recent years were categorized as lower priority in the Java Bug System.